VYPR
← All advisories
Medium severity4.4NVD Advisory· Published Apr 22, 2026· Updated Apr 27, 2026

CVE-2026-35347

CVE-2026-35347

Description

The comm utility in uutils coreutils incorrectly consumes data from non-regular file inputs before performing comparison operations. The are_files_identical function opens and reads from both input paths to compare content without first verifying if the paths refer to regular files. If an input path is a FIFO or a pipe, this pre-read operation drains the stream, leading to silent data loss before the actual comparison logic is executed. Additionally, the utility may hang indefinitely if it attempts to pre-read from infinite streams like /dev/zero.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
coreutilscrates.io
< 0.6.00.6.0

Affected products

1

Patches

1
75f45e87e52e

comm: fix comparison when reading from pipes (#9545)

https://github.com/uutils/coreutilsMartin KunkelJan 17, 2026via ghsa
commit
3 files changed · +45 0
  • Cargo.toml+1 0 modified
    @@ -549,6 +549,7 @@ uutests.workspace = true
 uucore = { workspace = true, features = [
   "mode",
   "entries",
+  "pipes",
   "process",
   "signals",
   "utmpx",
  • src/uu/comm/src/comm.rs+5 0 modified
    @@ -136,6 +136,11 @@ pub fn are_files_identical(path1: &Path, path2: &Path) -> io::Result<bool> {
         return Ok(false);
     }
 
+    // only proceed if both are regular files
+    if !metadata1.is_file() || !metadata2.is_file() {
+        return Ok(false);
+    }
+
     let file1 = File::open(path1)?;
     let file2 = File::open(path2)?;
  • tests/by-util/test_comm.rs+39 0 modified
    @@ -648,3 +648,42 @@ fn test_comm_eintr_handling() {
         .stdout_contains("line2")
         .stdout_contains("line3");
 }
+
+#[test]
+#[cfg(any(target_os = "linux", target_os = "android"))]
+fn test_comm_anonymous_pipes() {
+    use std::{io::Write, os::fd::AsRawFd, process};
+    use uucore::pipes::pipe;
+
+    let scene = TestScenario::new(util_name!());
+
+    // Open two anonymous pipes
+    let (comm1_reader, mut comm1_writer) = pipe().unwrap();
+    let (comm2_reader, mut comm2_writer) = pipe().unwrap();
+
+    // comm reads the data in chunks
+    // make content large enough, so that at least two chunks are read
+    // default buffer size is 8192, so with 6 characters (5 digits + \n) per line we need to write at least 1366 lines
+
+    // write 1500 lines into comm1: 00000\n00001\n...01500\n
+    let mut content = String::new();
+    for i in 0..1500 {
+        content.push_str(&format!("{i:05}\n"));
+    }
+    assert!(comm1_writer.write_all(content.as_bytes()).is_ok());
+    drop(comm1_writer);
+
+    // write into comm2: 00000\n00001\n...01500\n99999\n
+    content.push_str("99999\n");
+    assert!(comm2_writer.write_all(content.as_bytes()).is_ok());
+    drop(comm2_writer);
+
+    // run comm, showing unique lines in second input
+    let comm1_fd = format!("/proc/{}/fd/{}", process::id(), comm1_reader.as_raw_fd());
+    let comm2_fd = format!("/proc/{}/fd/{}", process::id(), comm2_reader.as_raw_fd());
+    scene
+        .ucmd()
+        .args(&["-13", &comm1_fd, &comm2_fd])
+        .succeeds()
+        .stdout_is("99999\n");
+}

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.